Extending center cluster membership to additional compute resources

ABSTRACT

The present technology addresses a need to automatically configure a new compute resource to join an existing cluster of computing resources. The present technology provides a mechanism to ensure that the new compute resource is executing the same kernel version which further permits subsequent exchange at least one configuration message informing the new compute resource of necessary configuration parameters and an address to retrieve required software packages.

CROSS-REFERENCE TO RELATED APPLICATION

The present application claims the priority benefit of U.S. patentapplication No. 62/770,143, filed Nov. 20, 2018, entitled “EXTENDINGCENTER CLUSTER MEMBERSHIP TO ADDITIONAL COMPUTE RESOURCES,” thedisclosure of which is incorporated herein by reference.

TECHNICAL FIELD

The subject matter of this disclosure relates in general to technologiesfor improving the operation of a network, and more particularly, toimproving addition of computing resources to an existing cluster ofcomputing resources on the network.

BACKGROUND

A campus network can provide connectivity to computing devices (e.g.,servers, workstations, desktop computers, laptop computers, tablets,mobile phones, etc.) and things (e.g., desk phones, security cameras,lighting, heating, ventilating, and air-conditioning (HVAC), windows,doors, locks, medical devices, industrial and manufacturing equipment,etc.) within environments such as offices, hospitals, colleges anduniversities, oil and gas facilities, factories, and similar locations.Some of the unique challenges a campus network may face includeintegrating wired and wireless devices, on-boarding computing devicesand things that can appear anywhere in the network and maintainingconnectivity when the devices and things migrate from location tolocation within the network, supporting bring your own device (BYOD)capabilities, connecting and powering Internet-of-Things (IoT) devices,and securing the network despite the vulnerabilities associated withWi-Fi access, device mobility, BYOD, and IoT. Current approaches fordeploying a network capable of providing these functions often requireconstant and extensive configuration and administration by highlyskilled network engineers operating several different systems (e.g.,directory-based identity services; authentication, authorization, andaccounting (AAA) services, wireless local area network (WLAN)controllers; command line interfaces for each switch, router, or othernetwork device of the network; etc.) and manually stitching thesesystems together. This can make network deployment difficult andtime-consuming, and impede the ability of many organizations to innovaterapidly and to adopt new technologies, such as video, collaboration, andconnected workspaces.

BRIEF DESCRIPTION OF THE FIGURES

To provide a complete understanding of the present disclosure andfeatures and advantages thereof, reference is made to the followingdescription, taken in conjunction with the accompanying drawings, inwhich:

FIG. 1 illustrates an example of a physical topology of an enterprisenetwork in accordance with an embodiment;

FIG. 2 illustrates an example of a logical architecture for anenterprise network in accordance with an embodiment;

FIGS. 3A-3I illustrate examples of graphical user interfaces for anetwork management system in accordance with an embodiment;

FIG. 4 illustrates an example of a physical topology for a multi-siteenterprise network in accordance with an embodiment;

FIG. 5 illustrates a ladder diagram showing an example method inaccordance with some embodiments of the present technology;

FIG. 6 illustrates an example of systems in accordance with someembodiments.

DESCRIPTION OF EXAMPLE EMBODIMENTS

The detailed description set forth below is intended as a description ofvarious configurations of embodiments and is not intended to representthe only configurations in which the subject matter of this disclosurecan be practiced. The appended drawings are incorporated herein andconstitute a part of the detailed description. The detailed descriptionincludes specific details for the purpose of providing a more thoroughunderstanding of the subject matter of this disclosure. However, it willbe clear and apparent that the subject matter of this disclosure is notlimited to the specific details set forth herein and may be practicedwithout these details. In some instances, structures and components areshown in block diagram form in order to avoid obscuring the concepts ofthe subject matter of this disclosure.

Overview

The present technology provides for provisioning new resources to acomputing cluster with minimal administrator involvement. While variousprovisioning and orchestration technologies might exist, they are proneto problems wherein new resources may be running incompatible, ornon-ideal software of configurations for membership in a computingcluster, which leads to administrator time to troubleshoot and thenultimately install new software and reconfigure the cluster. The presenttechnology provides for a mechanism whereby existing cluster members caninform a new computing resource of the appropriate configurations, andsoftware versions required to participate in the cluster optimally.Furthermore, the existing cluster members can even provide theappropriate software packages, or a reference to acquire the appropriatesoftware packages, in an executable format such that the new resourcecan automatically install the software and join the cluster and be fullyand properly configured.

The present technology provides for sending, by a new computingresource, a request to join a computing cluster to at least one memberof the computing cluster. The new computing resource can receive, in oneor more communications, a reply from the member of the computing clusterthat includes metadata describing requirements to join the computingcluster and describing a software bundle used by devices in thecomputing cluster. The new computing resource can download and installthe software bundle, and then establish membership in the computingcluster.

The present technology can include a variety of system componentsincluding, among other potential components, a management cloud, anexisting member of the cluster, a new resource to join the cluster, asoftware package repository, and a certificate authority. The existingmember of the cluster is configured to receive a request for informationneeded to join the cluster of computing resources from a new computingresource, and in response, to send information describing protocols,identification of a software package, information for retrieving thesoftware package, configuration parameters, and authenticationinformation to the new computing resource.

The software package repository is configured to receive a request fromthe new computing resource and in response, to provide the softwarepackage to the new computing resource. Thereafter the new computingresource can receive the response from the software package repositoryand execute the software package, thereby configuring the new computingresource with all necessary software and configurations to join thecluster of computing resources.

The certificate authority is configured to receive a request toauthenticate the new computing resource and to accept the new computingresource as a member of the cluster of computing resources, and inresponse, to accept the membership of the new computing resource

Example Embodiments

Intent-based networking is an approach for overcoming the deficiencies,discussed above and elsewhere in the present disclosure, of conventionalenterprise networks. The motivation of intent-based networking is toenable a user to describe in plain language what he or she wants toaccomplish (e.g., the user's intent) and have the network translate theuser's objective into configuration and policy changes that areautomatically propagated across a complex and heterogeneous computingenvironment. Thus, an intent-based network can abstract networkcomplexity, automate much of the work of provisioning and managing thenetwork typically handled by a network administrator, and assure secureoperation and optimal performance of the network. As an intent-basednetwork becomes aware of the users, devices, and things makingconnections in the network, it can automatically apply securitypermissions and service levels in accordance with the privileges andquality of experience (QoE) assigned to the users, devices, and things.Table 1 sets forth examples of intents and workflows that can beautomated by an intent-based network to achieve the desired outcome.

TABLE 1 Examples of Intents and Associated Workflows Intent Workflow Ineed to scale out my Extend network segments; update load balancerconfiguration; application database configure quality of service (QoS) Ihave scheduled a Create high-definition (HD) video connection;prioritize with telemedicine session end-to-end QoS; validateperformance; keep the communication at 10 am safe; tear down connectionafter call I am rolling out a new IoT Create a new segment for allfactory devices to connect to the app for factory equipment IoT app;isolate from other traffic; apply service level agreement monitoring(SLA); validate SLA; optimize traffic flow I need to deploy a secureProvision multiple networks and subnets; configure access multi-tierapplication control lists (ACLs) and firewall rules; advertise routinginformation

FIG. 1 illustrates an example of a physical topology of an enterprisenetwork 100 for providing intent-based networking. It should beunderstood that, for the enterprise network 100 and any networkdiscussed herein, there can be additional or fewer nodes, devices,links, networks, or components in similar or alternative configurations.Example embodiments with different numbers and/or types of endpoints,nodes, cloud components, servers, software components, devices, virtualor physical resources, configurations, topologies, services, appliances,or deployments are also contemplated herein. Further, the enterprisenetwork 100 can include any number or type of resources, which can beaccessed and utilized by endpoints or network devices. The illustrationsand examples provided herein are for clarity and simplicity.

In this example, the enterprise network 100 includes a management cloud102 and a network fabric 120. Although shown as an external network orcloud to the network fabric 120 in this example, the management cloud102 may alternatively or additionally reside on the premises of anorganization or in a colocation center (in addition to being hosted by acloud provider or similar environment). The management cloud 102 canprovide a central management plane for building and operating thenetwork fabric 120. The management cloud 102 can be responsible forforwarding configuration and policy distribution, as well as devicemanagement and analytics. The management cloud 102 can comprise one ormore network controller appliances 104, one or more authentication,authorization, and accounting (AAA) appliances 106, one or more wirelesslocal area network controllers (WLCs) 108, and one or more fabriccontrol plane nodes 110. In other embodiments, one or more elements ofthe management cloud 102 may be co-located with the network fabric 120.

The network controller appliance(s) 104 can function as the command andcontrol system for one or more network fabrics and can house automatedworkflows for deploying and managing the network fabric(s). The networkcontroller appliance(s) 104 can include automation, design, policy,provisioning, and assurance capabilities, among others, as discussedfurther below with respect to FIG. 2. In some embodiments, one or moreCisco Digital Network Architecture (Cisco DNA™) appliances can operateas the network controller appliance(s) 104.

The AAA appliance(s) 106 can control access to computing resources,facilitate enforcement of network policies, audit usage, and provideinformation necessary to bill for services. The AAA appliance caninteract with the network controller appliance(s) 104 and with databasesand directories containing information for users, devices, things,policies, billing, and similar information to provide authentication,authorization, and accounting services. In some embodiments, the AAAappliance(s) 106 can utilize Remote Authentication Dial-In User Service(RADIUS) or Diameter to communicate with devices and applications. Insome embodiments, one or more Cisco® Identity Services Engine (ISE)appliances can operate as the AAA appliance(s) 106.

The WLC(s) 108 can support fabric-enabled access points attached to thenetwork fabric 120, handling traditional tasks associated with a WLC aswell as interactions with the fabric control plane for wireless endpointregistration and roaming. In some embodiments, the network fabric 120can implement a wireless deployment that moves data-plane termination(e.g., VXLAN) from a centralized location (e.g., with previous overlayControl and Provisioning of Wireless Access Points (CAPWAP) deployments)to an access point/fabric edge node. This can enable distributedforwarding and distributed policy application for wireless traffic whileretaining the benefits of centralized provisioning and administration.In some embodiments, one or more Cisco® Wireless Controllers, Cisco®Wireless LAN, and/or other Cisco DNA™-ready wireless controllers canoperate as the WLC(s) 108.

The network fabric 120 can comprise fabric border nodes 122A and 122B(collectively, 122), fabric intermediate nodes 124A-D (collectively,124), and fabric edge nodes 126A-F (collectively, 126). Although thefabric control plane node(s) 110 are shown to be external to the networkfabric 120 in this example, in other embodiments, the fabric controlplane node(s) 110 may be co-located with the network fabric 120. Inembodiments where the fabric control plane node(s) 110 are co-locatedwith the network fabric 120, the fabric control plane node(s) 110 maycomprise a dedicated node or set of nodes or the functionality of thefabric control node(s) 110 may be implemented by the fabric border nodes122.

The fabric control plane node(s) 110 can serve as a central database fortracking all users, devices, and things as they attach to the networkfabric 120, and as they roam around. The fabric control plane node(s)110 can allow network infrastructure (e.g., switches, routers, WLCs,etc.) to query the database to determine the locations of users,devices, and things attached to the fabric instead of using a flood andlearn mechanism. In this manner, the fabric control plane node(s) 110can operate as a single source of truth about where every endpointattached to the network fabric 120 is located at any point in time. Inaddition to tracking specific endpoints (e.g., /32 address for IPv4,/128 address for IPv6, etc.), the fabric control plane node(s) 110 canalso track larger summarized routers (e.g., IP/mask). This flexibilitycan help in summarization across fabric sites and improve overallscalability.

The fabric border nodes 122 can connect the network fabric 120 totraditional Layer 3 networks (e.g., non-fabric networks) or to differentfabric sites. The fabric border nodes 122 can also translate context(e.g., user, device, or thing mapping and identity) from one fabric siteto another fabric site or to a traditional network. When theencapsulation is the same across different fabric sites, the translationof fabric context is generally mapped 1:1. The fabric border nodes 122can also exchange reachability and policy information with fabriccontrol plane nodes of different fabric sites. The fabric border nodes122 also provide border functions for internal networks and externalnetworks. Internal borders can advertise a defined set of known subnets,such as those leading to a group of branch sites or to a data center.External borders, on the other hand, can advertise unknown destinations(e.g., to the Internet similar in operation to the function of a defaultroute).

The fabric intermediate nodes 124 can operate as pure Layer 3 forwardersthat connect the fabric border nodes 122 to the fabric edge nodes 126and provide the Layer 3 underlay for fabric overlay traffic.

The fabric edge nodes 126 can connect endpoints to the network fabric120 and can encapsulate/decapsulate and forward traffic from theseendpoints to and from the network fabric. The fabric edge nodes 126 mayoperate at the perimeter of the network fabric 120 and can be the firstpoints for attachment of users, devices, and things and theimplementation of policy. In some embodiments, the network fabric 120can also include fabric extended nodes (not shown) for attachingdownstream non-fabric Layer 2 network devices to the network fabric 120and thereby extend the network fabric. For example, extended nodes canbe small switches (e.g., compact switch, industrial Ethernet switch,building automation switch, etc.) which connect to the fabric edge nodesvia Layer 2. Devices or things connected to the fabric extended nodescan use the fabric edge nodes 126 for communication to outside subnets.

In this example, the network fabric can represent a single fabric sitedeployment which can be differentiated from a multi-site fabricdeployment as discussed further below with respect to FIG. 4.

In some embodiments, all subnets hosted in a fabric site can beprovisioned across every fabric edge node 126 in that fabric site. Forexample, if the subnet 10.10.10.0/24 is provisioned in a given fabricsite, this subnet may be defined across all of the fabric edge nodes 126in that fabric site, and endpoints located in that subnet can be placedon any fabric edge node 126 in that fabric. This can simplify IP addressmanagement and allow deployment of fewer but larger subnets. In someembodiments, one or more Cisco® Catalyst switches, Cisco Nexus®switches, Cisco Meraki® MS switches, Cisco® Integrated Services Routers(ISRs), Cisco® Aggregation Services Routers (ASRs), Cisco® EnterpriseNetwork Compute Systems (ENCS), Cisco® Cloud Service Virtual Routers(CSRvs), Cisco Integrated Services Virtual Routers (ISRvs), CiscoMeraki® MX appliances, and/or other Cisco DNA-Ready™ devices can operateas the fabric nodes 122, 124, and 126.

The enterprise network 100 can also include wired endpoints 130A, 130C,130D, and 130F and wireless endpoints 130B and 130E (collectively, 130).The wired endpoints 130A, 130C, 130D, and 130F can connect by wire tofabric edge nodes 126A, 126C, 126D, and 126F, respectively, and thewireless endpoints 130B and 130E can connect wirelessly to wirelessaccess points 128B and 128E (collectively, 128), respectively, which inturn can connect by wire to fabric edge nodes 126B and 126E,respectively. In some embodiments, Cisco Aironet® access points, CiscoMeraki® MR access points, and/or other Cisco DNA™-ready access pointscan operate as the wireless access points 128.

The endpoints 130 can include general purpose computing devices (e.g.,servers, workstations, desktop computers, etc.), mobile computingdevices (e.g., laptops, tablets, mobile phones, etc.), wearable devices(e.g., watches, glasses or other head-mounted displays (HMDs), eardevices, etc.), and so forth. The endpoints 130 can also includeInternet of Things (IoT) devices or equipment, such as agriculturalequipment (e.g., livestock tracking and management systems, wateringdevices, unmanned aerial vehicles (UAVs), etc.); connected cars andother vehicles; smart home sensors and devices (e.g., alarm systems,security cameras, lighting, appliances, media players, HVAC equipment,utility meters, windows, automatic doors, door bells, locks, etc.);office equipment (e.g., desktop phones, copiers, fax machines, etc.);healthcare devices (e.g., pacemakers, biometric sensors, medicalequipment, etc.); industrial equipment (e.g., robots, factory machinery,construction equipment, industrial sensors, etc.); retail equipment(e.g., vending machines, point of sale (POS) devices, Radio FrequencyIdentification (RFID) tags, etc.); smart city devices (e.g., streetlamps, parking meters, waste management sensors, etc.); transportationand logistical equipment (e.g., turnstiles, rental car trackers,navigational devices, inventory monitors, etc.); and so forth.

In some embodiments, the network fabric 120 can support wired andwireless access as part of a single integrated infrastructure such thatconnectivity, mobility, and policy enforcement behavior are similar orthe same for both wired and wireless endpoints. This can bring a unifiedexperience for users, devices, and things that are independent of theaccess media.

In integrated wired and wireless deployments, control plane integrationcan be achieved with the WLC(s) 108 notifying the fabric control planenode(s) 110 of joins, roams, and disconnects by the wireless endpoints130 such that the fabric control plane node(s) can have connectivityinformation about both wired and wireless endpoints in the networkfabric 120, and can serve as the single source of truth for endpointsconnected to the network fabric. For data plane integration, the WLC(s)108 can instruct the fabric wireless access points 128 to form a VXLANoverlay tunnel to their adjacent fabric edge nodes 126. The AP VXLANtunnel can carry segmentation and policy information to and from thefabric edge nodes 126, allowing connectivity and functionality identicalor similar to that of a wired endpoint. When the wireless endpoints 130join the network fabric 120 via the fabric wireless access points 128,the WLC(s) 108 can onboard the endpoints into the network fabric 120 andinform the fabric control plane node(s) 110 of the endpoints' MediaAccess Control (MAC) addresses. The WLC(s) 108 can then instruct thefabric wireless access points 128 to form VXLAN overlay tunnels to theadjacent fabric edge nodes 126. Next, the wireless endpoints 130 canobtain IP addresses for themselves via Dynamic Host ConfigurationProtocol (DHCP). Once that completes, the fabric edge nodes 126 canregister the IP addresses of the wireless endpoint 130 to the fabriccontrol plane node(s) 110 to form a mapping between the endpoints' MACand IP addresses, and traffic to and from the wireless endpoints 130 canbegin to flow.

FIG. 2 illustrates an example of a logical architecture 200 for anenterprise network (e.g., the enterprise network 100). One of ordinaryskill in the art will understand that, for the logical architecture 200and any system discussed in the present disclosure, there can beadditional or fewer components in similar or alternative configurations.The illustrations and examples provided in the present disclosure arefor conciseness and clarity. Other embodiments may include differentnumbers and/or types of elements but one of ordinary skill the art willappreciate that such variations do not depart from the scope of thepresent disclosure. In this example, the logical architecture 200includes a management layer 202, a controller layer 220, a network layer230 (such as embodied by the network fabric 120), a physical layer 240(such as embodied by the various elements of FIG. 1), and a sharedservices layer 250.

The management layer 202 can abstract the complexities and dependenciesof other layers and provide a user with tools and workflows to manage anenterprise network (e.g., the enterprise network 100). The managementlayer 202 can include a user interface 204, design functions 206, policyfunctions 208, provisioning functions 210, assurance functions 212,platform functions 214, and base automation functions 216. The userinterface 204 can provide a user with a single point to manage andautomate the network. The user interface 204 can be implemented within aweb application/web server accessible by a web browser and/or anapplication/application server accessible by a desktop application, amobile app, a shell program or other command line interface (CLI), anApplication Programming Interface (e.g., restful state transfer (REST),Simple Object Access Protocol (SOAP), Service Oriented Architecture(SOA), etc.), and/or another suitable interface in which the user canconfigure network infrastructure, devices, and things that arecloud-managed; provide user preferences; specify policies, enter data;review statistics; configure interactions or operations; and so forth.The user interface 204 may also provide visibility information, such asviews of a network, network infrastructure, computing devices, andthings. For example, the user interface 204 can provide a view of thestatus or conditions of the network, the operations taking place,services, performance, topology or layout, protocols implemented,running processes, errors, notifications, alerts, network structure,ongoing communications, data analysis, and so forth.

The design functions 206 can include tools and workflows for managingsite profiles, maps, and floor plans, network settings, and IP addressmanagement, among others. The policy functions 208 can include tools andworkflows for defining and managing network policies. The provisioningfunctions 210 can include tools and workflows for deploying the network.The assurance functions 212 can use machine learning and analytics toprovide end-to-end visibility of the network by learning from thenetwork infrastructure, endpoints, and other contextual sources ofinformation. The platform functions 214 can include tools and workflowsfor integrating the network management system with other technologies.The base automation functions 216 can include tools and workflows tosupport the policy functions 208, the provisioning functions 210, theassurance functions 212, and the platform functions 214.

In some embodiments, the design functions 206, the policy functions 208,the provisioning functions 210, the assurance functions 212, theplatform functions 214, and the base automation functions 216 can beimplemented as microservices in which respective software functions areimplemented in multiple containers communicating with each rather thanamalgamating all tools and workflows into a single software binary. Eachof the design functions 206, policy functions 208, provisioningfunctions 210, assurance functions 212, and platform functions 214 canbe viewed as a set of related automation microservices to cover thedesign, policy authoring, provisioning, assurance, and cross-platformintegration phases of the network lifecycle. The base automationfunctions 214 can support the top-level functions by allowing users toperform certain network-wide tasks.

FIGS. 3A-3I illustrate examples of graphical user interfaces forimplementing the user interface 204. Although FIGS. 3A-3I show thegraphical user interfaces as comprising web pages displayed in a browserexecuting on a large form-factor general purpose computing device (e.g.,server, workstation, desktop, laptop, etc.), the principles disclosed inthe present disclosure are widely applicable to client devices of otherform factors, including tablet computers, smartphones, wearable devices,or other small form-factor general purpose computing devices;televisions; set-top boxes; IoT devices; and other electronic devicescapable of connecting to a network and including input/output componentsto enable a user to interact with a network management system. One ofordinary skill will also understand that the graphical user interfacesof FIGS. 3A-3I are but one example of a user interface for managing anetwork. Other embodiments may include a fewer number or a greaternumber of elements.

FIG. 3A illustrates a graphical user interface 300A, which is an exampleof a landing screen or a home screen of the user interface 204. Thegraphical user interface 300A can include user interface elements forselecting the design functions 206, the policy functions 208, theprovisioning functions 210, the assurance functions 212, and theplatform functions 214. The graphical user interface 300A also includesuser interface elements for selecting the base automation functions 216.In this example, the base automation functions 216 include:

-   -   A network discovery tool 302 for automating the discovery of        existing network elements to populate into inventory;    -   An inventory management tool 304 for managing the set of        physical and virtual network elements;    -   A topology tool 306 for visualizing the physical topology of        network elements;    -   An image repository tool 308 for managing software images for        network elements;    -   A command runner tool 310 for diagnosing one or more network        elements based on a CLI;    -   A license manager tool 312 for administering visualizing        software license usage in the network;    -   A template editor tool 314 for creating and authoring CLI        templates associated with network elements in a design profile;    -   A network PnP tool 316 for supporting the automated        configuration of network elements;    -   A telemetry tool 318 for designing a telemetry profile and        applying the telemetry profile to network elements; and    -   A data set and reports tool 320 for accessing various data sets,        scheduling data extracts, and generating reports in multiple        formats (e.g., Post Document Format (PDF), comma-separated        values (CSV), Tableau, etc.), such as an inventory data report,        a software image management (SWIM) server report, and a client        data report, among others.

FIG. 3B illustrates a graphical user interface 300B, an example of alanding screen for the design functions 206. The graphical userinterface 300B can include user interface elements for various tools andworkflows for logically defining an enterprise network. In this example,the design tools and workflows include:

-   -   A network hierarchy tool 322 for setting up the geographic        location, building, and floor plane details, and associating        these with a unique site id;    -   A network settings tool 324 for setting up network servers        (e.g., Domain Name System (DNS), DHCP, AAA, etc.), device        credentials, IP address pools, service provider profiles (e.g.,        QoS classes for a WAN provider), and wireless settings;    -   An image management tool 326 for managing software images and/or        maintenance updates, setting version compliance, and downloading        and deploying images;    -   A network profiles tool 328 for defining LAN, WAN, and WLAN        connection profiles (including Service Set Identifiers (SSIDs));        and    -   An authentication template tool 330 for defining modes of        authentication (e.g., closed authentication, Easy Connect, open        authentication, etc.).

The output of the design workflow 206 can include a hierarchical set ofunique site identifiers that define the global and forwardingconfiguration parameters of the various sites of the network. Theprovisioning functions 210 may use the site identifiers to deploy thenetwork.

FIG. 3C illustrates a graphical user interface 300C, an example of alanding screen for the policy functions 208. The graphical userinterface 300C can include various tools and workflows for definingnetwork policies. In this example, the policy design tools and workflowsinclude:

-   -   A policy dashboard 332 for viewing virtual networks, group-based        access control policies, IP-based access control policies,        traffic copy policies, scalable groups, and IP network groups.        The policy dashboard 332 can also show the number of policies        that have failed to deploy. The policy dashboard 332 can provide        a list of policies and the following information about each        policy: policy name, policy type, policy version (e.g.,        iteration of policy which can be incremented each time the        policy changes, user who has modified the policy, description,        policy scope (e.g., user and device groups or applications that        the policy effects), and timestamp;    -   A group-based access control policies tool 334 for managing        group-based access controls or SGACLs. A group-based access        control policy can define scalable groups and an access contract        (e.g., rules that make up the access control policies, such as        to permit or deny when traffic matches on the policy);    -   An IP-based access control policies tool 336 for managing        IP-based access control policies. An IP-based access control can        define an IP network group (e.g., IP subnets that share same        access control requirements) and an access contract;    -   An application policies tool 338 for configuring QoS for        application traffic. An application policy can define        application sets (e.g., sets of applications that with similar        network traffic needs) and a site scope (e.g., the site to which        an application policy is defined);    -   A traffic copy policies tool 340 for setting up an Encapsulated        Remote Switched Port Analyzer (ERSPAN) configuration such that        network traffic flow between two entities is copied to a        specified destination for monitoring or troubleshooting. A        traffic copy policy can define the source and destination of the        traffic flow to copy and a traffic copy contract that specifies        the device and interface where the copy of traffic is sent; and    -   A virtual network policies tool 343 for segmenting the physical        network into multiple logical networks.

The output of the policy workflow 208 can include a set of virtualnetworks, security groups, and access and traffic policies that definethe policy configuration parameters of the various sites of the network.The provisioning functions 210 may use virtual networks, groups, andpolicies for deployment in the network.

FIG. 3D illustrates a graphical user interface 300D, an example of alanding screen for the provisioning functions 210. The graphical userinterface 300D can include various tools and workflows for deploying thenetwork. In this example, the provisioning tools and workflows include:

-   -   A device provisioning tool 344 for assigning devices to the        inventory and deploying the required settings and policies, and        adding devices to sites; and    -   A fabric provisioning tool 346 for creating fabric domains and        adding devices to the fabric.

The output of the provisioning workflow 210 can include the deploymentof the network underlay and fabric overlay, as well as policies (definedin the policy workflow 208).

FIG. 3E illustrates a graphical user interface 300E, an example of alanding screen for the assurance functions 212. The graphical userinterface 300E can include various tools and workflows for managing thenetwork. In this example, the assurance tools and workflows include:

-   -   A health overview tool 344 for providing a global view of the        enterprise network, including network infrastructure devices and        endpoints. The user interface element (e.g., drop-down menu, a        dialog box, etc.) associated with the health overview tool 344        can also be toggled to switch to additional or alternative        views, such as a view of the health of network infrastructure        devices alone, a view of the health of all wired and wireless        clients, and a view of the health of applications running in the        network as discussed further below with respect to FIGS. 3F-3H;    -   An assurance dashboard tool 346 for managing and creating custom        dashboards;    -   An issues tool 348 for displaying and troubleshooting network        issues; and    -   A sensor management tool 350 for managing sensor-driven tests.

The graphical user interface 300E can also include a location selectionuser interface element 352, a time period selection user interfaceelement 354, and a view type user interface element 356. The locationselection user interface element 354 can enable a user to view theoverall health of specific sites (e.g., as defined via the networkhierarchy tool 322) and/or network domains (e.g., LAN, WLAN, WAN, datacenter, etc.). The time period selection user interface element 356 canenable display of the overall health of the network over specific timeperiods (e.g., last 3 hours, last 24 hours, last 7 days, custom, etc.).The view type user interface element 355 can enable a user to togglebetween a geographical map view of the sites of the network (not shown)or a hierarchical site/building view (as shown).

Within the hierarchical site/building view, rows can represent thenetwork hierarchy (e.g., sites and buildings as defined by the networkhierarchy tool 322); column 358 can indicate the number of healthyclients as a percentage; column 360 can indicate the health of wirelessclients by a score (e.g., 1-10), color and/or descriptor (e.g., red orcritical associated with a health score 1 to 3 indicating the clientshave critical issues, orange or warning associated with a health scoreof 4 to 7 indicating warnings for the clients, green or no errors orwarnings associated with a health score of 8 to 10, grey or no dataavailable associated with a health score of null or 0), or otherindicator; column 362 can indicate the health of wired clients by score,color, descriptor, and so forth; column 364 can include user interfaceelements for drilling down to the health of the clients associated witha hierarchical site/building; column 366 can indicate the number ofhealthy network infrastructure devices as a percentage; column 368 canindicate the health of access switches by score, color, descriptor, andso forth; column 370 can indicate the health of core switches by score,color, descriptor, and so forth; column 372 can indicate the health ofdistribution switches by score, color, descriptor, and so forth; column374 can indicate the health of routers by score, color, descriptor, andso forth; column 376 can indicate the health of WLCs by score, color,descriptor, and so forth; column 378 can indicate the health of othernetwork infrastructure devices by score, color, descriptor, and soforth; and column 380 can include user interface elements for drillingdown to the health of the network infrastructure devices associated witha hierarchical site/building. In other embodiments, client devices maybe grouped in other ways besides wired or wireless, such as by devicetype (e.g., desktop, laptop, mobile phone, IoT device or more specifictype of IoT device, etc.), manufacturer, model, operating system, and soforth. Likewise, network infrastructure devices can also be groupedalong these and other ways in additional embodiments.

The graphical user interface 300E can also include an overall healthsummary user interface element (e.g., a view, pane, tile, card,container, widget, dashlet, etc.) that includes a client health summaryuser interface element 384 indicating the number of healthy clients as apercentage, a color-coded trend chart 386 indicating that percentageover a specific time period (e.g., as selected by the time periodselection user interface element 354), a user interface element 388breaking down the number of healthy clients as a percentage by clienttype (e.g., wireless, wired), a network infrastructure health summaryuser interface element 390 indicating the number of health networkinfrastructure devices as a percentage, a color-coded trend chart 392indicating that percentage over a specific time period, and a userinterface element 394 breaking down the number of network infrastructuredevices as a percentage by network infrastructure device type (e.g.,core switch, access switch, distribution switch, etc.).

The graphical user interface 300E can also include an issues userinterface element 396 listing issues, if any, that must be addressed.Issues can be sorted based on timestamp, severity, location, devicetype, and so forth. Each issue may be selected to drill down to view amore detailed view of the selected issue.

FIG. 3F illustrates a graphical user interface 300F, an example of ascreen for an overview of the health of network infrastructure devicesalone, which may be navigated to, for instance, by toggling the healthoverview tool 344. The graphical user interface 300F can include atimeline slider 398 for selecting a more granular time range than a timeperiod selection user interface element (e.g., the time period selectionuser interface element 354). The graphical user interface 300F can alsoinclude similar information to that shown in the graphical userinterface 300E, such as a user interface element comprising ahierarchical site/building view and/or geographical map view similar tothat of the graphical user interface 300E (except providing informationonly for network infrastructure devices) (not shown here), the number ofhealthy network infrastructure devices as a percentage 390, thecolor-coded trend charts 392 indicating that percentage by device type,the breakdown of the number of healthy network infrastructure devices bydevice type 394, and so forth. In addition, the graphical user interface300F can display a view of the health of network infrastructure devicesby network topology (not shown). This view can be interactive, such asby enabling a user to zoom in or out, pan left or right, or rotate thetopology (e.g., by 90 degrees).

In this example, the graphical user interface 300F also includes acolor-coded trend chart 3002 showing the performance of the networkinfrastructure devices over a specific time period; network health bydevice type tabs including a system health chart 3004 providing systemmonitoring metrics (e.g., CPU utilization, memory utilization,temperature, etc.), a data plane connectivity chart 3006 providing dataplane metrics, such as uplink availability and link errors, and acontrol plane connectivity chart 3008 providing control plane metricsfor each device type; an AP analytics user interface element includingan up and down color-coded chart 3010 that provides AP statusinformation (e.g., the number of APs connected to the network, and thenumber of APs not connected to the network, etc.) and a top number N ofAPs by client count chart 3012 that provides information about the APsthat have the highest number of clients; a network devices table 3014enabling a user to filter (e.g., by device type, health, or customfilters), view, and export network device information. A detailed viewof the health of each network infrastructure device can also be providedby selecting that network infrastructure device in the network devicestable 3014.

FIG. 3G illustrates a graphical user interface 300G, an example of ascreen for an overview of the health of client devices, which may benavigated to, for instance, by toggling the health overview tool 344.The graphical user interface 300G can include an SSID user interfaceselection element 3016 for viewing the health of wireless clients by allSSIDs or a specific SSID, a band frequency user interface selectionelement 3018 for viewing the health of wireless clients by all bandfrequencies or a specific band frequency (e.g., 2.4 GHz, 5 GHz, etc.),and a time slider 3020 that may operate similarly to the time slider398.

The graphical user interface 300G can also include a client healthsummary user interface element that provides similar information to thatshown in the graphical user interface 300E, such as the number ofhealthy clients as a percentage 384 and a color-coded trend chart 386indicating that percentage over a specific time period for each groupingof client devices (e.g., wired/wireless, device type, manufacturer,model, operating system, etc.). In addition, the client health summaryuser interface element can include a color-coded donut chart thatprovides a count of poor (e.g., red and indicating a client health scoreof 1 to 3), fair (e.g., orange and indicating a client health score of 4to 7), good (e.g., green and indicating a health score of 8 to 10), andinactive (e.g., grey and indicating a health score that is null or 0)client devices. The count of client devices associated with each color,health score, health descriptor, and so forth may be displayed by aselection gesture directed toward that color (e.g., tap, double tap,long press, hover, click, right-click, etc.).

The graphical user interface 300G can also include a number of otherclient health metric charts in all sites or a selected site over aspecific time period, such as:

-   -   Client onboarding times 3024;    -   Received Signal Strength Indications (RSSIs) 3026;    -   Connectivity signal-to-noise ratios (SNRs) 3028;    -   Client counts per SSID 3030;    -   Client counts per band frequency 3032;    -   DNS requests and response counters (not shown); and    -   Connectivity physical link state information 3034 indicating the        distribution of wired client devices that had their physical        links up, down, and had errors.

In addition, the graphical user interface 300G can include a clientdevices table 3036 enabling a user to filter (e.g., by device type,health, data (e.g., onboarding time>threshold, associationtime>threshold, DHCP>threshold, AAA>threshold, RSSI>threshold, etc.), orcustom filters), view, and export client device information (e.g., useridentifier, hostname, MAC address, IP address, device type, last heard,location, VLAN identifier, SSID, overall health score, onboarding score,connection score, network infrastructure device to which the clientdevice is connected, etc.). A detailed view of the health of each clientdevice can also be provided by selecting that client device in theclient devices table 3036.

FIG. 3H illustrates a graphical user interface 300H, an example of ascreen for an overview of the health of applications, which may benavigated to, for instance, by the toggling the health overview tool344. The graphical user interface 300H can include application healthsummary user interface element including a percentage 3038 of the numberof healthy applications as a percentage, a health score 3040 for eachapplication or type of application (e.g., business relevant, businessirrelevant, default; HTTP, VoIP, chat, email, bulk transfer,multimedia/streaming, etc.) running in the network, a top number N ofapplications by usage chart 3042. The health score 3040 can becalculated based on an application's qualitative metrics, such as packetloss, network latency, and so forth.

In addition, the graphical user interface 300H can also include anapplications table 3044 enabling a user to filter (e.g., by applicationname, domain name, health, usage, average throughput, traffic class,packet loss, network latency, application latency, custom filters,etc.), view, and export application information. A detailed view of thehealth of each application can also be provided by selecting thatapplication in the applications table 3044.

FIG. 3I illustrates an example of a graphical user interface 300I, anexample of a landing screen for the platform functions 210. Thegraphical user interface 300C can include various tools and workflowsfor integrating with other technology systems. In this example, theplatform integration tools and workflows include:

-   -   A bundles tool 3046 for managing packages of domain-specific        APIs, workflows, and other features for network programming and        platform integration;    -   A developer toolkit 3048 for accessing an API catalog listing        the available APIs and methods (e.g., GET, PUT, POST, DELETE,        etc.), descriptions, runtime parameters, return codes, model        schemas, and so forth. In some embodiments, the developer        toolkit 3048 can also include a “Try It” button to permit a        developer to experiment with a particular API to better        understand its behavior;    -   A runtime dashboard 3050 for viewing and analyzing basic metrics        or API and integration flow usage;    -   A platform settings tool 3052 to view and set global or        bundle-specific settings that define integration destinations        and event consumption preferences; and    -   A notifications user interface element 3054 for presenting        notifications regarding the availability of software updates,        security threats, and so forth.

Returning to FIG. 2, the controller layer 220 can comprise subsystemsfor the management layer 220 and may include a network control platform222, a network data platform 224, and AAA services 226. These controllersubsystems can form an abstraction layer to hide the complexities anddependencies of managing many network elements and protocols.

The network control platform 222 can provide automation andorchestration services for the network layer 230 and the physical layer240, and can include the settings, protocols, and tables to automatemanagement of the network and physical layers. For example, the networkcontrol platform 222 can provide the design functions 206, and theprovisioning functions 210. In addition, the network control platform222 can include tools and workflows for discovering switches, routers,wireless controllers, and other network infrastructure devices (e.g.,the network discovery tool 302); maintaining network and endpointdetails, configurations, and software versions (e.g., the inventorymanagement tool 304); Plug-and-Play (PnP) for automating deployment ofnetwork infrastructure (e.g., the network PnP tool 316), Path Trace forcreating visual data paths to accelerate the troubleshooting ofconnectivity problems, Easy QoS for automating quality of service toprioritize applications across the network, and Enterprise ServiceAutomation (ESA) for automating deployment of physical and virtualnetwork services, among others. The network control platform 222 cancommunicate with network elements using Network Configuration(NETCONF)/Yet Another Next Generation (YANG), Simple Network ManagementProtocol (SNMP), Secure Shell (SSH)/Telnet, and so forth. In someembodiments, the Cisco® Network Control Platform (NCP) can operate asthe network control platform 222

The network data platform 224 can provide for network data collection,analytics, and assurance, and may include the settings, protocols, andtables to monitor and analyze network infrastructure and endpointsconnected to the network. The network data platform 224 can collectmultiple types of information from network infrastructure devices,including Syslog, SNMP, NetFlow, Switched Port Analyzer (SPAN), andstreaming telemetry, among others.

In some embodiments, one or more Cisco DNA™ Center appliances canprovide the functionalities of the management layer 210, the networkcontrol platform 222, and the network data platform 224. The Cisco DNA™Center appliances can support horizontal scalability by addingadditional Cisco DNA™ Center nodes to an existing cluster; highavailability for both hardware components and software packages; backupand store mechanisms to support disaster discovery scenarios; role-basedaccess control mechanisms for differentiated access to users, devices,and things based on roles and scope; and programmable interfaces toenable integration with third-party vendors. The Cisco DNA™ Centerappliances can also be cloud-tethered to provide for the upgrade ofexisting functions and additions of new packages and applicationswithout having to download and install them manually.

The AAA services 226 can provide identity and policy services for thenetwork layer 230 and physical layer 240, and may include the settings,protocols, and tables to support endpoint identification and policyenforcement services. The AAA services 226 can provide tools andworkflows to manage virtual networks and security groups and to creategroup-based policies and contracts. The AAA services 226 can identifyand profile network infrastructure devices and endpoints usingAAA/RADIUS, 802.1X, MAC Authentication Bypass (MAB), web authentication,and EasyConnect, among others. The AAA services 226 can also collect anduse contextual information from the network control platform 222, thenetwork data platform 224, and the shared services 250, among others. Insome embodiments, Cisco® ISE can provide the AAA services 226.

The network layer 230 can be conceptualized as a composition of twolayers, an underlay 234 comprising physical and virtual networkinfrastructure (e.g., routers, switches, WLCs, etc.) and a Layer 3routing protocol for forwarding traffic, and an overlay 232 comprising avirtual topology for logically connecting wired and wireless users,devices, and things and applying services and policies to theseentities. Network elements of the underlay 234 can establishconnectivity between each other, such as via Internet Protocol (IP). Theunderlay may use any topology and routing protocol.

In some embodiments, the network controller 104 can provide a local areanetwork (LAN) automation service, such as implemented by Cisco DNA™Center LAN Automation, to automatically discover, provision, and deploynetwork devices. Once discovered, the automated underlay provisioningservice can leverage Plug and Play (PnP) to apply the required protocoland network address configurations to the physical networkinfrastructure. In some embodiments, the LAN automation service mayimplement the Intermediate System to Intermediate System (IS-IS)protocol. Some of the advantages of IS-IS include neighbor establishmentwithout IP protocol dependencies, peering capability using loopbackaddresses, and agnostic treatment of IPv4, IPv6, and non-IP traffic.

The overlay 232 can be a logical, virtualized topology built on top ofthe physical underlay 234, and can include a fabric data plane, a fabriccontrol plane, and a fabric policy plane. In some embodiments, thefabric data plane can be created via packet encapsulation using VirtualExtensible LAN (VXLAN) with Group Policy Option (GPO). Some of theadvantages of VXLAN-GPO include its support for both Layer 2 and Layer 3virtual topologies (overlays), and its ability to operate over any IPnetwork with built-in network segmentation.

In some embodiments, the fabric control plane can implement Locator/IDSeparation Protocol (LISP) for logically mapping and resolving users,devices, and things. LISP can simplify routing by removing the need foreach router to process every possible IP destination address and route.LISP can achieve this by moving a remote destination to a centralizedmap database that allows each router to manage only its local routes andquery the map system to locate destination endpoints.

The fabric policy plane is where intent can be translated into networkpolicy. That is, the policy plane is where the network operator caninstantiate logical network policy based on services offered by thenetwork fabric 120, such as security segmentation services, quality ofservice (QoS), capture/copy services, application visibility services,and so forth.

Segmentation is a method or technology used to separate specific groupsof users or devices from other groups for the purpose of reducingcongestion, improving security, containing network problems, controllingaccess, and so forth. As discussed, the fabric data plane can implementVXLAN encapsulation to provide network segmentation by using the virtualnetwork identifier (VNI) and Scalable Group Tag (SGT) fields in packetheaders. The network fabric 120 can support both macro-segmentation andmicro-segmentation. Macro-segmentation logically separates a networktopology into smaller virtual networks by using a unique networkidentifier and separate forwarding tables. This can be instantiated as avirtual routing and forwarding (VRF) instance and referred to as avirtual network (VN). That is, a VN is a logical network instance withinthe network fabric 120 defined by a Layer 3 routing domain and canprovide both Layer 2 and Layer 3 services (using the VXLAN VNI toprovide both Layer 2 and Layer 3 segmentation). Micro-segmentationlogically separates user or device groups within a VN, by enforcingsource to destination access control permissions, such as by usingaccess control lists (ACLs). A scalable group is a logical objectidentifier assigned to a group of users, devices, or things in thenetwork fabric 120. It can be used as source and destination classifiersin Scalable Group ACLs (SGACLs). The SGT can be used to provideaddress-agnostic group-based policies.

In some embodiments, the fabric control plane node 110 may implement theLocator/Identifier Separation Protocol (LISP) to communicate with oneanother and with the management cloud 102. Thus, the control plane nodesmay operate a host tracking database, a map server, and a map resolver.The host tracking database can track the endpoints 130 connected to thenetwork fabric 120 and associate the endpoints to the fabric edge nodes126, thereby decoupling an endpoint's identifier (e.g., IP or MACaddress) from its location (e.g., closest router) in the network.

The physical layer 240 can comprise network infrastructure devices, suchas switches and routers 110, 122, 124, and 126 and wireless elements 108and 128 and network appliances, such as the network controllerappliance(s) 104, and the AAA appliance(s) 106.

The shared services layer 250 can provide an interface to externalnetwork services, such as cloud services 252; Domain Name System (DNS),DHCP, IP Address Management (IPAM), and other network address managementservices 254; firewall services 256; Network as a Sensor(Naas)/Encrypted Threat Analytics (ETA) services; and Virtual NetworkFunctions (VNFs) 260; among others. The management layer 202 and/or thecontroller layer 220 can share identity, policy, forwarding information,and so forth via the shared services layer 250 using APIs.

FIG. 4 illustrates an example of a physical topology for a multi-siteenterprise network 400. In this example, the network fabric comprisesfabric sites 420A and 420B. The fabric site 420A can include a fabriccontrol node 410A, fabric border nodes 422A and 422B, fabricintermediate nodes 424A and 424B (shown here in dashed line and notconnected to the fabric border nodes or the fabric edge nodes forsimplicity), and fabric edge nodes 426A-D. The fabric site 420B caninclude a fabric control node 410B, fabric border nodes 422C-E, fabricintermediate nodes 424C and 424D, and fabric edge nodes 426D-F. Multiplefabric sites corresponding to a single fabric, such as the networkfabric of FIG. 4, can be interconnected by a transit network. A transitnetwork can be a portion of a network fabric that has its own controlplane nodes and border nodes but does not have edge nodes. In addition,a transit network shares at least one border node with each fabric sitethat it interconnects.

In general, a transit network connects a network fabric to the externalworld. There are several approaches to external connectivity, such as atraditional IP network 436, traditional WAN 438A, Software-Defined WAN(SD-WAN) (not shown), or Software-Defined Access (SD-Access) 438B.Traffic across fabric sites, and to other types of sites, can use thecontrol plane and data plane of the transit network to provideconnectivity between these sites. A local border node can operate as thehandoff point from the fabric site, and the transit network can delivertraffic to other sites. The transit network may use additional features.For example, if the transit network is a WAN, then features likeperformance routing may also be used. To provide end-to-end policy andsegmentation, the transit network should be cable of carrying endpointcontext information (e.g., VRF, SGT) across the network. Otherwise, are-classification of the traffic may be needed at the destination siteborder.

The local control plane in a fabric site may only hold state relevant toendpoints that are connected to edge nodes within the local fabric site.The local control plane can register local endpoints via local edgenodes, as with a single fabric site (e.g., the network fabric 120). Anendpoint that isn't explicitly registered with the local control planemay be assumed to be reachable via border nodes connected to the transitnetwork. In some embodiments, the local control plane may not hold statefor endpoints attached to other fabric sites such that the border nodesdo not register information from the transit network. In this manner,the local control plane can be independent of other fabric sites, thusenhancing the overall scalability of the network.

The control plane in the transit network can hold summary state for allfabric sites that it interconnects. This information can be registeredto the transit control plane by border nodes from different fabricsites. The border nodes can register EID information from the localfabric site into the transit network control plane for summary EIDs onlyand thus further improve scalability.

The multi-site enterprise network 400 can also include a shared servicescloud 432. The shared services cloud 432 can comprise one or morenetwork controller appliances 404, one or more AAA appliances 406, andother shared servers (e.g., DNS; DHCP; IPAM; SNMP and other monitoringtools; NetFlow, Syslog, and other data collectors, etc.) may reside.These shared services can generally reside outside of the network fabricand in a global routing table (GRT) of an existing network. In thiscase, some method of inter-VRF routing may be required. One option forinter-VRF routing is to use a fusion router, which can be an externalrouter that performs inter-VRF leaking (e.g., import/export of VRFroutes) to fuse the VRFs together. Multi-Protocol can be used for thisroute exchange since it can inherently prevent routing loops (e.g.,using the AS_PATH attribute). Other routing protocols can also be usedbut may require complex distribute-lists and prefix-lists to preventloops.

However, there can be several disadvantages in using a fusion router toachieve inter-VN communication, such as route duplication because routesleaked from one VRF to another are programmed in hardware tables and canresult in more TCAM utilization, manual configuration at multiple touchpoints wherever route-leaking is implemented, loss of SGT contextbecause SGTs may not be maintained across VRFs and must be re-classifiedonce the traffic enters the other VRF, and traffic hairpinning becausetraffic may need to be routed to the fusion router, and then back to thefabric border node.

SD-Access Extranet can provide a flexible and scalable method forachieving inter-VN communications by avoiding route duplication becauseinter-VN lookup occurs in the fabric control plane (e.g., software) suchthat route entries do not need to be duplicated in hardware; providing asingle touchpoint because the network management system (e.g., CiscoDNA™ Center) can automate the inter-VN lookup policy, making it a singlepoint of management; maintaining SGT context because the inter-VN lookupoccurs in the control plane node(s) (e.g., software), and avoidshair-pinning because inter-VN forwarding can occur at the fabric edge(e.g., the same intra-VN) so traffic does not need to hairpin at theborder node. Another advantage is that a separate VN can be made foreach of the common resources that are needed (e.g., a Shared ServicesVN, an Internet VN, a data center VN, etc.).

Extending Center Cluster Membership to Additional Compute Resources

The systems described above in FIG. 1-FIG. 4 are useful for managing anenterprise network. As referenced above, one aspect of managing anenterprise network involves adding additional compute resources such asnetwork controller appliances 104, authentication, authorization, andaccounting (AAA) appliances 106, wireless local area network controllers(WLCs) 108, fabric control plane nodes 110, border nodes 122,intermediate nodes 124, edge nodes 126, access points 128, and endpoints 130. In some embodiments, these compute resources can make up acluster which is made up of multiple independent computing entities thatcooperates with each other to achieve the same computational goal.

Entities within a cluster use some previously agreed protocol tocoordinate with each other. However, an entity that is to become a newmember of a cluster may have a different version of software or aprotocol which may be incompatible with that which is currently used inthe cluster. When this happens, the new member will not be able to jointhe cluster and acquire membership. Often such a problem requires asoftware or configuration modification prior to joining the cluster.Currently, this process can require administrator intervention, anddelays cluster formation.

In some embodiments, the present technology can communicate appropriatesoftware and configuration requirements to an entity attempting tobecome a new member of a cluster (or to update existing members withinthe cluster) by transferring a manifest file that contains necessaryinformation regarding appropriate software needed to join the cluster,where to download the software, and appropriate configurations.

FIG. 5 illustrates an example ladder diagram showing examplecommunications and a method used to add compute resources to an existingcluster of computing resources. The computing resources can be anycomputing resource whether physical or virtual and can provide anyfunction including networking, indexing, and storage, or computationaltype tasks.

The present technology can address the above problems by utilizingprovisioning function 210 of management cloud 102 to configure multiplelevels of the network (illustrated in FIG. 2) to be able toautomatically configure and accept a new compute resource into thecluster.

Prior to the first communication in the method illustrated in FIG. 5, afirst resource needs to be provisioned. Provisioning function 210 canconfigure the first resource to provide a function, and the firstresource can thereafter be used (as illustrated in FIG. 5) to configureevery additional resource joining the first resource in a cluster toprovide the function. Provisioning function 210 can be used at thedirection of a network administrator, or other functions of managementcloud 102 to configure the first resource. Configuring the firstresource can include defining an appropriate software package, includinga run time environment, versions, APIs, network configurations, etc.Whenever a resource is provisioned, the resource will generate and storea bundle including a Docker image (or another type of container)containing the software package and will create a manifest includinginformation regarding the software release versions, configurationsettings, and other data necessary for the appropriate configuration. Insome embodiments, the bundle can be stored directly on the firstresource, or it can be stored or managed by image repository 308.

Once the first resource has been configured, it can be used by newlyjoining resources, as outlined in FIG. 5, to ensure that every member ofa cluster is configured in the same way.

FIG. 5 illustrates a method 500 by which a new computing resource 502can join a cluster through communication with an existing cluster member501 (a previously configured resource) of the cluster and othermanagement cloud 102 resources.

Method 500 can begin when the new computing resource 502 initializes 510and executes firmware effective to run a preboot execution environmentprotocol wherein new computing resource 502 sends a preboot executionenvironment (PXE) request 511 to a preboot execution environment serverwhich receives the request. In response, the preboot executionenvironment server sends a boot image including software kernel definingthe operating environment used by the existing cluster member(s) 501 tothe new resource 502 joining the cluster to initialize the new resource502 joining the cluster.

The new computing resource 502 can receive the boot image and initialize513 using the boot image. These steps ensure that the new computingresource 502 is running the proper kernel.

In some embodiments, steps 511, 512, and 513 are optional as indicatedby the dashed lines. In some embodiments, the new computing resource 502is already running the proper kernel and steps 511, 512, and 513 can beskipped. In some embodiments, the new resource 502 joining the clustersimply does not perform steps 511, 512, and 513. In some embodiments,the preboot execution environment boot fails and therefore either doesnot perform steps 511, 512, and 513, or the effect of performing thesteps is the same as if they have not been performed. These steps areoptional because all resources will already include a Linux or Windowskernel and any software necessary to utilize a manifest, describedbelow. The Linux kernel is natively able to execute a Docker container,and resources running the Windows kernel under the control of themanagement cloud 102 include additional software needed to execute aDocker container. As will be described below, the software in the Dockercontainer is able to otherwise update the new resource 502 to be able tojoin the cluster.

Whether or not, the new computing resource 502 has performed the prebootexecution environment boot 513, new computing resource 502 can request517 a manifest from an existing cluster member 501. In order to knowwhere to send request 517, new computing resource 502 can receive acommunication from management cloud 102 directing the new computingresource 502 to join an existing cluster. The communication frommanagement cloud 102 can provide instructions to make the manifestrequest 517 and direct it to one or more existing cluster members 501.In some embodiments, the new resource 502 might prompt the user throughthe management cloud 102 to provide an IP address of a member of theexisting cluster to which the new resource 502 is to join.

An existing member 501 of the cluster can receive the manifest request517 and either redirect the request to another existing member 501 ofthe cluster that has been designated for handling such requests, or itcan respond. In response to the receiving the request, the existingcluster member 501 can send 518 the requested manifest includinginformation describing protocols, APIs, versions, identification of asoftware package(s), information (a pointer) for retrieving the softwarepackage, configuration parameters, file format information, pathinformation, data schemas, etc. In addition to the information in themanifest, the existing member 501 of the cluster can send a seed packagefor a certificate authority (e.g., public and private keys) that will beused as a basis of mutual trust between the new computing resource 502and the existing cluster member(s) 501 in the cluster going forward.

In some embodiments, the manifest request 517 can include informationabout the existing software environment and configuration the newresource 502 is currently running, and the existing cluster member 501can determine that the new computing resource is not running the sameversion of the software bundle as the existing cluster member 501. Insome embodiments, the existing cluster member 501 can determine thedifferences between the existing software environment and configurationof the new member 502 compared to the existing cluster member 501. Insuch embodiments, the existing cluster member 501 can prepare a manifestthat identifies the differences in configurations.

In some embodiments, the manifest request can include instructions tothe new entity 502 joining to request and receive the Docker image froma docket daemon. In some embodiments, the existing cluster member 501can send a Docker image containing software package(s) needed forparticipation in the cluster.

After receipt of the manifest, new computing resource 502 can process519 the manifest data and install authentication information, such assoftware required for a distributed certificate authority. In someembodiments, authentication services such as the distributed certificateauthority can be provided by AAA Service 226 of the management cloud102.

As directed by the manifest, the new computing resource 502 can thenrequest 522 the software package, and the request can be received 522 bya software package repository. In response, the software packagerepository can provide the software package to the new computingresource 502, which can run the software package 523. Examples of asoftware package include, but are not limited to executable Dockercontainers, Java executable, etc.

In some embodiments, the software package is a Docker image. The Dockerimage contains the following software to install: kernel loadablemodules, Deb, apk, pip, or whl packages, golang dependent packages, javasoftware (including jars), new libraries/binaries, new ansibleorchestrations playbooks, new configuration files, etc. When this Dockerimage is run to completion, it ensures the new cluster member is runningall identical software versions, and they are configured in a compatibleway.

To facilitate such a Docker image to be available on the cluster,whenever a cluster software version is updated, it is required togenerate a bundle as a part of the upgrade package that contains all thesoftware updated into a Docker image and tagged with the releaseversion. This image will be downloaded by a cluster member whenever asoftware update of the cluster is initiated. That way if a cluster keepsmoving from a software version to another, a new member will alwaysreceive whatever latest version the cluster is running, and will beupgraded later along with the rest of the members of the cluster. Thatway all members of a cluster are guaranteed to run the identical versionof cluster software.

Now that the new computing resource 502 has all of the necessarysoftware and configurations to be a part of the clusters, the newcomputing resource 502 can attempt to join the cluster 526 by requestingits membership to be authenticated 527 by a certificate authority. Thecertificate authority can receive the request 527 to authenticate thenew computing resource and to accept the new computing resource as amember of the cluster of computing resources, and in response 528, thecertificate authority can accept the membership of the new computingresource. In some embodiments, the certificate authority can bedistributed.

While the present technology has been primarily discussed in the contextof the systems shown herein, such as shown in FIG. 1-FIG. 5 that isdesigned to manage an enterprise network, the present technology isapplicable to any system in which expanding cluster membership isdesired. Any system wherein current cluster members, or an orchestrationservice, can send a manifest that includes all information necessary fora new resource to automatically download and install necessary softwareversions, set up the proper configurations, and learn the properauthentication to join the cluster is contemplated by the presenttechnology.

FIG. 6 shows an example of computing system 600, which can be forexample any computing device making up network controller appliances104, authentication, authorization, and accounting (AAA) appliances 106,wireless local area network controllers (WLCs) 108, fabric control planenodes 110, border nodes 122, intermediate nodes 124, edge nodes 126,access points 128, end points 130, or management cloud 102 or anycomponent thereof in which the components of the system are incommunication with each other using connection 605. Connection 605 canbe a physical connection via a bus, or a direct connection intoprocessor 610, such as in a chipset architecture. Connection 605 canalso be a virtual connection, networked connection, or logicalconnection.

In some embodiments, computing system 600 is a distributed system inwhich the functions described in this disclosure can be distributedwithin a datacenter, multiple datacenters, a peer network, etc. In someembodiments, one or more of the described system components representsmany such components each performing some or all of the function forwhich the component is described. In some embodiments, the componentscan be physical or virtual devices.

Example system 600 includes at least one processing unit (CPU orprocessor) 610 and connection 605 that couples various system componentsincluding system memory 615, such as read-only memory (ROM) 620 andrandom access memory (RAM) 625 to processor 610. Computing system 600can include a cache of high-speed memory 612 connected directly with, inclose proximity to, or integrated as part of processor 610.

Processor 610 can include any general purpose processor and a hardwareservice or software service, such as services 632, 634, and 636 storedin storage device 630, configured to control processor 610 as well as aspecial-purpose processor where software instructions are incorporatedinto the actual processor design. Processor 610 may essentially be acompletely self-contained computing system, containing multiple cores orprocessors, a bus, memory controller, cache, etc. A multi-core processormay be symmetric or asymmetric.

To enable user interaction, computing system 600 includes an inputdevice 645, which can represent any number of input mechanisms, such asa microphone for speech, a touch-sensitive screen for gesture orgraphical input, keyboard, mouse, motion input, speech, etc. Computingsystem 600 can also include output device 635, which can be one or moreof a number of output mechanisms known to those of skill in the art. Insome instances, multimodal systems can enable a user to provide multipletypes of input/output to communicate with computing system 600.Computing system 600 can include communications interface 640, which cangenerally govern and manage the user input and system output. There isno restriction on operating on any particular hardware arrangement, andtherefore the basic features here may easily be substituted for improvedhardware or firmware arrangements as they are developed.

Storage device 630 can be a non-volatile memory device and can be a harddisk or other types of computer readable media which can store data thatare accessible by a computer, such as magnetic cassettes, flash memorycards, solid state memory devices, digital versatile disks, cartridges,random access memories (RAMs), read-only memory (ROM), and/or somecombination of these devices.

The storage device 630 can include software services, servers, services,etc., that when the code that defines such software is executed by theprocessor 610, it causes the system to perform a function. In someembodiments, a hardware service that performs a particular function caninclude the software component stored in a computer-readable medium inconnection with the necessary hardware components, such as processor610, connection 605, output device 635, etc., to carry out the function.

For clarity of explanation, in some instances, the present technologymay be presented as including individual functional blocks includingfunctional blocks comprising devices, device components, steps orroutines in a method embodied in software, or combinations of hardwareand software.

Any of the steps, operations, functions, or processes described hereinmay be performed or implemented by a combination of hardware andsoftware services or services, alone or in combination with otherdevices. In some embodiments, a service can be software that resides inmemory of a client device and/or one or more servers of a contentmanagement system and perform one or more functions when a processorexecutes the software associated with the service. In some embodiments,a service is a program, or a collection of programs that carry out aspecific function. In some embodiments, a service can be considered aserver. The memory can be a non-transitory computer-readable medium.

In some embodiments the computer-readable storage devices, mediums, andmemories can include a cable or wireless signal containing a bit streamand the like. However, when mentioned, non-transitory computer-readablestorage media expressly exclude media such as energy, carrier signals,electromagnetic waves, and signals per se.

Methods according to the above-described examples can be implementedusing computer-executable instructions that are stored or otherwiseavailable from computer readable media. Such instructions can comprise,for example, instructions and data which cause or otherwise configure ageneral purpose computer, special purpose computer, or special purposeprocessing device to perform a certain function or group of functions.Portions of computer resources used can be accessible over a network.The computer executable instructions may be, for example, binaries,intermediate format instructions such as assembly language, firmware, orsource code. Examples of computer-readable media that may be used tostore instructions, information used, and/or information created duringmethods according to described examples include magnetic or opticaldisks, solid state memory devices, flash memory, USB devices providedwith non-volatile memory, networked storage devices, and so on.

Devices implementing methods according to these disclosures can comprisehardware, firmware and/or software, and can take any of a variety ofform factors. Typical examples of such form factors include servers,laptops, smart phones, small form factor personal computers, personaldigital assistants, and so on. Functionality described herein also canbe embodied in peripherals or add-in cards. Such functionality can alsobe implemented on a circuit board among different chips or differentprocesses executing in a single device, by way of further example.

The instructions, media for conveying such instructions, computingresources for executing them, and other structures for supporting suchcomputing resources are means for providing the functions described inthese disclosures.

Although a variety of examples and other information was used to explainaspects within the scope of the appended claims, no limitation of theclaims should be implied based on particular features or arrangements insuch examples, as one of ordinary skill would be able to use theseexamples to derive a wide variety of implementations. Further andalthough some subject matter may have been described in languagespecific to examples of structural features and/or method steps, it isto be understood that the subject matter defined in the appended claimsis not necessarily limited to these described features or acts. Forexample, such functionality can be distributed differently or performedin components other than those identified herein. Rather, the describedfeatures and steps are disclosed as examples of components of systemsand methods within the scope of the appended claims.

The invention claimed is:
 1. A computer-implemented method comprising:sending, by a computing resource, a request to join a computing clusterincluding at least one member; receiving, in one or more communications,a reply including metadata describing requirements to join the computingcluster and a reference to a software bundle used by devices in thecomputing cluster; installing the software bundle; and establishingmembership in the computing cluster.
 2. The computer-implemented methodof claim 1, wherein the request to join the cluster is a request to theat least one member of the computing cluster for the metadata describingrequirements to join the computing cluster.
 3. The computer-implementedmethod of claim 2, comprising: installing a software or configurationupdate by the at least one member of the computing cluster; andgenerating the software bundle containing the software or configurationincluded in the update and labeling the software bundle with a releaseversion.
 4. The computer-implemented method of claim 1, wherein thereceiving of the reply including the reference to the software bundle isa result of a determination made by a member of the computing clusterthat the computing resource is not running the same version of thesoftware bundle as the at least one member of the computing cluster. 5.The computer-implemented method of claim 1, comprising: prior to thesending of the request to join the computing cluster, sending a prebootexecuting environment request; receiving a boot image in response to thepreboot execution environment request; and initializing, by thecomputing resource, using the received boot image.
 6. Thecomputer-implemented method of claim 1, wherein the metadata describingrequirements to join the computing cluster includes membershipauthentication information, the method comprising: authenticating, bythe computing resource, using the membership authentication informationprior to the establishing membership in the cluster.
 7. Thecomputer-implemented method of claim 1, wherein the software bundle iscontained in a Docker container that is executable by the computingresource.
 8. A distributed computing management system for managing acluster of computing resources comprising: an existing member of thecluster of computing resources to receive a request for informationneeded to join the cluster of computing resources from a computingresource, and in response, to send information describing protocols,identification of a software package, information for retrieving thesoftware package, configuration parameters, and authenticationinformation to the computing resource; and a software package repositoryto receive a request from the computing resource and in response toprovide the software package to the computing resource.
 9. Thedistributed computing management system of claim 8 comprising: thecomputing resource to receive the response from the software packagerepository and to execute the software package, thereby configuring thecomputing resource with all necessary software and configurations tojoin the cluster of computing resources.
 10. The distributed computingmanagement system of claim 8, wherein the software package is a Dockercontainer.
 11. The distributed computing management system of claim 8,comprising: a certificate authority to receive a request to authenticatethe computing resource and to accept the computing resource as a memberof the cluster of computing resources, and in response, to accept thecomputing resource as a member of the cluster.
 12. The distributedcomputing management system of claim 8, comprising: a preboot executionenvironment server to receive a preboot execution environment requestfrom the computing resource that is not part of the cluster of computingresources, and to send a boot image used by the cluster of computingresources to the computing resource to initialize the computingresource.
 13. The distributed computing management system of claim 8,wherein the existing member of the cluster of computing resources isconfigured to install a software or configuration update, and generatethe software package containing the software or configuration includedin the update and labeling the software package with a release version.14. A non-transitory computer-readable medium comprising instructionsstored thereon that when executed are effective to cause one or moreprocessors of a management cloud system to: send, by a computingresource, a request to join an existing computing cluster including atleast one member; receive, in one or more communications, a replyincluding metadata describing requirements to join the computing clusterand a reference to a software bundle used by devices in the computingcluster; install the software bundle; and establish membership in thecomputing cluster.
 15. The non-transitory computer-readable medium ofclaim 14, wherein the request to join the cluster is a request to the atleast one member of the computing cluster for the metadata describingrequirements to join the existing computing cluster.
 16. Thenon-transitory computer-readable medium of claim 15, wherein theinstructions are effective to cause one or more processors of themanagement cloud system to: installing a software or configurationupdate by the at least one member of the computing cluster; andgenerating the software bundle containing the software or configurationincluded in the update and labeling the software bundle with a releaseversion.
 17. The non-transitory computer-readable medium of claim 14,wherein the receiving of the reply including the reference to thesoftware bundle is a result of a determination made by a member of theexisting computing cluster that the computing resource is not runningthe same version of the software bundle as the at least one currentmember of the existing computing cluster.
 18. The non-transitorycomputer-readable medium of claim 14, wherein the instructions areeffective to cause one or more processors of the management cloud systemto: send a preboot executing environment request prior to the sending ofthe request to join the existing computing cluster; receive a boot imagein response to the preboot execution environment request; andinitialize, by the computing resource, using the received boot image.19. The non-transitory computer-readable medium of claim 14, wherein themetadata describing requirements to join the existing computing clusterincludes membership authentication information, wherein the instructionsare effective to cause one or more processors of the management cloudsystem to: authenticate, by the computing resource, using the membershipauthentication information prior to the establishing membership in theexisting cluster.
 20. The non-transitory computer-readable medium ofclaim 14, wherein the software bundle is contained in a Docker containerthat is executable by the computing resource.